How to stay ahead of merchant breaches and payment card fraud

The views and opinions expressed in this article are those of the thought leaders as individuals, and are not attributed to CeFPro or any particular organization.

By Stas Alforov, Director of Research & Development, Gemini Advisory

Why is there an increased risk of merchant breaches in a real-time environment?

Most merchants operate in a real-time environment in which they use automated transactional risk scoring to make split-second decisions about whether a transaction is legitimate or fraudulent. However, even the best transaction risk scoring does nothing to lower merchants’ risk of being breached due to the fact that breaches primarily come from vulnerabilities or human error, which lead to hackers gaining intimate access to the merchant’s website.

What is the impact to organizations of changing behaviour and demographics of customers when trying to stay ahead of merchant breaches?

On the behavioral side, the most diligent online shoppers are intentionally avoiding risky e-commerce sites, especially those sites that use outdated versions of the frequently targeted Magento content management system. With browser plugins that provide a rough trust assessment of merchants and other safe browsing features, online shoppers don’t need technical knowledge to significantly raise their security.

On the demographic side, younger customers are both more likely to shop online and more likely to utilize PayPal, Venmo, Google Pay, and other similar services for online transactions, thereby adding an additional layer of security. For in-person transactions, a younger customer is also more likely to pay using the Apple Pay/Samsung Pay/Google Pay tap method, whereas an older customer is more prone to pay using a swipe or chip method (both of which have been linked to weaker security measures).

Can you provide some examples of how fraud risks associated with same day ACH can be mitigated?

While I do not have intimate knowledge on this subject, the most effective mitigation methods for ACH fraud lie at the authentication level. Once a user (who could be the account holder or a malicious actor) has online access to a bank account, ACH transactions have traditionally only required a “simplistic” authentication and initiation stage. However, by employing an additional, more robust layer of identity verification for ACH transfers, institutions can further limit the frequency of ACH fraud.

Why is it important to ensure that there is limited impact on clients when implementing additional security measures?

Customers hate the inconvenience of waiting and, by extension, the safety measures that cause it (authentication, “processing”, etc.). As a result, we see players across the payment ecosystem—from customers to merchants and financial institutions—make the decision to move toward payment methods, processors, or systems that have a reputation for being faster and more efficient. Unfortunately, what is frequently not expressed is that this decision often results in sacrificing security. Depending on the player, this decision is effectively a trade-off prioritizing brand reputation or customers’ convenience over risk. In this space, choosing ease of use over security has clear short- and long-term implications in the form of breaches, account takeovers, account exploitations, etc.
